WebCore:
author    weinig@apple.com <weinig@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 8 Jan 2008 01:30:27 +0000 (01:30 +0000)
committer weinig@apple.com <weinig@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 8 Jan 2008 01:30:27 +0000 (01:30 +0000)
commit    cb8d78eb15db84e2159f474c99a9bd26239958e3
tree      44bdef7177d318bf0a15b7e33e3ec681da01de0b
parent    77d2fb58512baa69869aa126e03e3c7202d610f2
WebCore:

        Reviewed by Sam Weinig

        Fixes: http://bugs.webkit.org/show_bug.cgi?id=16523
        <rdar://problem/5657447>

        When a frame is created with the URL "about:blank" or "", it should
        inherit its SecurityOrigin from its opener.  However, once it has
        decided on that SecurityOrigin, it should not change its mind.
        Prior to this patch, several events could induce the frame to change
        its SecurityOrigin, permitting an attacker to inject script into an
        arbitrary SecurityOrigin.

        This patch makes several changes:

        1) Documents refuse to change from one SecurityOrigin to another
           unless explicitly instructed to do so.

        2) Navigating to a JavaScript URL that produces a value
           preserves the current SecurityOrigin explicitly instead of
           relying on the URL to preserve the origin (which fails for
           about:blank URLs and SecurityOrigins with document.domain set).

           Ideally, we should not preserve the URL at all.  Instead, the
           frame's URL should be the JavaScript URL, as in Firefox, but this
           would require changes that are too risky for this patch.  I'll
           file this as a separate issue.

        3) Various methods of navigating to JavaScript URLs were not
           properly handling JavaScript that returned a value (and should
           therefore replace the current document).  This patch unifies
           those code paths with the path that works.

           There are still a handful of bugs relating to the handling of
           JavaScript URLs, but I'll file those as separate issues.

        Tests: http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write.html
               http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url.html
               http/tests/security/aboutBlank/xss-DENIED-set-opener.html

        * dom/Document.cpp:
        (WebCore::Document::initSecurityOrigin):
        * dom/Document.h:
        (WebCore::Document::setSecurityOrigin):
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::changeLocation):
        (WebCore::FrameLoader::urlSelected):
        (WebCore::FrameLoader::requestFrame):
        (WebCore::FrameLoader::submitForm):
        (WebCore::FrameLoader::executeIfJavaScriptURL):
        (WebCore::FrameLoader::begin):
        * loader/FrameLoader.h:
        * platform/SecurityOrigin.cpp:
        (WebCore::SecurityOrigin::setForURL):
        (WebCore::SecurityOrigin::createForFrame):
        * platform/SecurityOrigin.h:

LayoutTests:

        Reviewed by Sam Weinig.

        Fixes: http://bugs.webkit.org/show_bug.cgi?id=16523
        Adds new LayoutTests for scripting from about:blank windows.  These
        windows should inherit their SecurityOrigin from their opener and should
        refuse to change their origins when their opener changes exogenously
        (the navigate-opener tests) or explicitly (the set-opener test).

        * http/tests/security/aboutBlank: Added.
        * http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write-expected.txt: Added.
        * http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write.html: Added.
        * http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url-expected.txt: Added.
        * http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url.html: Added.
        * http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt: Added.
        * http/tests/security/aboutBlank/xss-DENIED-set-opener.html: Added.
        * http/tests/security/resources/innocent-victim-with-notify.html: Added.
        * http/tests/security/resources/innocent-victim.html: Added.
        * http/tests/security/resources/libwrapjs.js: Added.
        * http/tests/security/resources/open-window.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@29266 268f45cc-cd09-0410-ab3c-d52691b4dbfc
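The origin policy the ChangeLog above describes, as an added C++ model that is not WebCore's code: SecurityOrigin, Document, createForURL, initSecurityOrigin and setSecurityOrigin reuse the ChangeLog's names but their bodies are stand-ins, and the hosts first.example and second.example are constructed for the two scenarios (the navigate-opener tests and the javascript: URL path).

```cpp
#include <memory>
#include <string>

// Constructed stand-in for WebCore::SecurityOrigin: host only; about:blank and "" get an empty host.
struct SecurityOrigin {
    std::string host;
    static std::shared_ptr<SecurityOrigin> createForURL(const std::string& url) {
        auto origin = std::make_shared<SecurityOrigin>();
        size_t start = url.find("://");
        if (start != std::string::npos)
            origin->host = url.substr(start + 3, url.find('/', start + 3) - (start + 3));
        return origin;
    }
};

class Document {
public:
    // Models the ChangeLog's initSecurityOrigin: about:blank and "" inherit the
    // opener's origin; once decided, further calls are ignored (change 1).
    void initSecurityOrigin(const std::string& url, const Document* opener) {
        if (m_securityOrigin) return;
        if ((url.empty() || url == "about:blank") && opener)
            m_securityOrigin = opener->m_securityOrigin;
        else
            m_securityOrigin = SecurityOrigin::createForURL(url);
    }
    // The only way to replace a decided origin, and the caller must ask for it.
    void setSecurityOrigin(std::shared_ptr<SecurityOrigin> o) { m_securityOrigin = o; }
    std::shared_ptr<SecurityOrigin> securityOrigin() const { return m_securityOrigin; }
private:
    std::shared_ptr<SecurityOrigin> m_securityOrigin;
};

// navigate-opener scenario: the popup keeps its inherited origin after the opener frame is replaced.
std::string popupHostAfterOpenerNavigates() {
    Document opener, popup, replacement;
    opener.initSecurityOrigin("http://first.example/open-window.html", nullptr);
    popup.initSecurityOrigin("about:blank", &opener);
    replacement.initSecurityOrigin("http://second.example/page.html", nullptr);
    popup.initSecurityOrigin("about:blank", &replacement); // ignored: already decided
    return popup.securityOrigin()->host;                   // "first.example"
}
// javascript: URL scenario (change 2): the replacement document gets the current
// origin explicitly; createForURL("about:blank") would give an empty host instead.
std::string hostAfterJavaScriptURLReplacement() {
    Document opener, popup, replacement;
    opener.initSecurityOrigin("http://first.example/open-window.html", nullptr);
    popup.initSecurityOrigin("about:blank", &opener);
    replacement.setSecurityOrigin(popup.securityOrigin());
    return replacement.securityOrigin()->host;             // "first.example"
}
```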
19 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write.html [new file with mode: 0644]
LayoutTests/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url.html [new file with mode: 0644]
LayoutTests/http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/aboutBlank/xss-DENIED-set-opener.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/innocent-victim-with-notify.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/innocent-victim.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/libwrapjs.js [new file with mode: 0644]
LayoutTests/http/tests/security/resources/open-window.html [new file with mode: 0644]
LayoutTests/platform/win/Skipped
WebCore/ChangeLog
WebCore/dom/Document.cpp
WebCore/dom/Document.h
WebCore/loader/FrameLoader.cpp
WebCore/loader/FrameLoader.h
WebCore/platform/SecurityOrigin.cpp
WebCore/platform/SecurityOrigin.h